[apparmor] AppArmor 2.8.95 without out-of-tree kernel patches?

John Johansen john.johansen at canonical.com
Sat Jun 14 04:54:18 UTC 2014

Sorry, these got lost in the mail black hole and I would have completely
missed them if they hadn't been pointed out to me. I am missing the
original message IDs, so this is being done as a new message quoting
the originals.

>> Hi,
>> it's being discussed [1] what version of the AppArmor userspace we'll
>> ship in Debian Jessie.
> That is, most likely: 3.16. In case it changes anything wrt.
> the timing of pushing AppArmor patches to Linux mainline.
There might be a few but nothing significant

>> On the kernel side, most likely we'll have what is in the mainline
>> version of Linux that is chosen for Jessie; possibly a few backports
>> of things that land into mainline after this kernel is released might
>> be added on top, but I don't think we'll have any out-of-tree patches.
The situation here is better, as the main interface patches have landed;
now it's just the extended mediation patches, most of which are dependent
on the core rework.

>> On the userspace side, we currently have 2.8.0 (!), and hopefully
>> we'll get 2.8.3 soonish. For Jessie, I think we basically have to
>> choose between 2.8.3 and 2.8.95.
2.8.4 should be out in a few weeks

also I expect the next 2.9 beta, which will be 2.8.96 will also ship
in a few weeks. The reason we do the betas as 2.8.XX where XX is a
big number is incompatibilities between rpm and debian packaging
around naming (2.9~Beta1, and different similar names caused problems
with one or the other).

>> I've read on the relevant Ubuntu freeze-exception request [2] that
>> AppArmor 2.8.95 was tested with Ubuntu kernels, with and without the
>> ptrace and signal mediation ones.
yes, part of the testing is against the vanilla upstream kernel.

>> That's good to know, but I'm wondering if anyone has tested AppArmor
>> 2.8.95 without out-of-tree kernel patches at all, using this
>> combination in production, and/or shipping it to users.
I have run tests on it, and brought up systems with it. It should work
but I can't say I know of anyone shipping 2.8.95 with a vanilla kernel.

>> Has anyone here any experience to share on this topic?

Basically we try to keep apparmor kernel and userspace somewhat independent.
That is the kernel tries to maintain backwards compatibility with older
userspaces, and newer userspaces try to remain compatible with older kernels.

Ubuntu does have some combinations that do test some of these configurations.
E.g. the backport kernels take the newer kernels and put them on older
userspaces. So we have a trusty (3.13 kernel + out-of-tree patches) back
on precise, which is basically a 2.8 userspace.

At the moment Ubuntu doesn't support a newer userspace on older kernels but
part of the validation process (for apparmor) is testing against vanilla

The regression tests on the 2.8.95 userspace check the kernel for supported
features and run different tests.

While old userspace to new kernel, and new kernel space are pretty good,
where we currently run into problems is policy. Old userspaces don't like
new policy with new, unknown rules, and old policy on new userspace + kernels
may interpret missing rules as lack of permission instead of the policy
having been authored for an older version.

We have plans to address this but they aren't done yet.

Basically policy will pick up some version tagging, some new compiler
defined variables, and there will be a template rule type to allow defining
rule patterns the compiler doesn't know about.

An older compiler (parser) will be able to deal with new, unknown rule types
via some includes that tell the parser what to ignore: older parsers won't
compile the rule but will be able to successfully ignore it, and newer parsers
will be able to pick out semantics due to version tagging.

It sounds like a lot, but it is going to be needed for policy that is shipped
in different packages and should also help with sharing policy between distros.

>> Thanks in advance!
>> [And very sorry for not having followed-up yet on the thread I've
>> started about sharing profiles maintenance..]
>> [1] https://bugs.debian.org/746764
>> [2] https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611
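To make the kernel feature check mentioned above concrete, here is a small shell example added for this archive page (it is not AppArmor's own test or parser code): it probes the kernel's AppArmor features tree, which on a live system is /sys/kernel/security/apparmor/features, and reports which mediation classes a profile's rules can actually rely on. The helper names and the sample feature tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the AppArmor project or this thread): probe the
# kernel's AppArmor feature tree the way a feature-aware test runner or
# policy loader would, so that ptrace/signal rules in a profile are only
# counted on where the running kernel mediates them.
# On a real system FEATURES is /sys/kernel/security/apparmor/features;
# make_sample_features builds a constructed stand-in for offline use.

# Print the permission mask of a mediation class, or nothing if the
# kernel does not expose that class at all.
apparmor_class_mask() {
    features="$1"; class="$2"
    if [ -r "$features/$class/mask" ]; then
        cat "$features/$class/mask"
    fi
}

# Exit 0 if the kernel mediates CLASS with permission PERM, e.g. "file read".
apparmor_supports() {
    features="$1"; class="$2"; perm="$3"
    for p in $(apparmor_class_mask "$features" "$class"); do
        [ "$p" = "$perm" ] && return 0
    done
    return 1
}

# For each class a profile relies on, print "<class> enforced" when the
# kernel exposes it and "<class> NOT-MEDIATED" when it does not, so a
# reviewer can see which rules are silently inert on this kernel.
apparmor_policy_coverage() {
    features="$1"; shift
    for class in "$@"; do
        if [ -d "$features/$class" ]; then
            echo "$class enforced"
        else
            echo "$class NOT-MEDIATED"
        fi
    done
}

# Constructed sample tree resembling a vanilla kernel with file mediation
# but without the out-of-tree ptrace and signal mediation patches.
make_sample_features() {
    d="$1"
    mkdir -p "$d/file" "$d/policy/versions"
    echo "create read write exec append mmap_exec link lock" > "$d/file/mask"
    : > "$d/policy/versions/v5"
}
```

Pointing the functions at the real features directory shows, before loading a profile, which rule classes the current kernel will enforce.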
